Autopsy User Documentation
4.17.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
|
The Result Viewer is located on the top right of the Autopsy screen and shows the the contents of what was selected in the Tree Viewer.
The main table viewer in the "Listing" tab displays the contents of the current selection as a table with selected details (properties) of each item. For files, some examples of the properties that this viewer shows are: name, time (modified, changed, accessed, and created), size, flags (directory and meta), mode, user ID, group ID, metadata address, attribute address, and type (directory and meta). For other data types, the columns will be different. Click the "Table" tab to select this view.
The following shows the main table viewer when a folder is selected in the Data Source section of the Tree Viewer.
As mentioned above, a table viewer is context-aware which means it will show applicable columns for the data type selected. The following shows the data in the "Web Bookmarks" node in the Tree Viewer.
By default, the first three columns after the file name in a table viewer are named "S", "C" and "O".
These columns display the following information:
To display more information about why an icon has appeared, you can hover over it. These columns query the Central Repository as well as the case database. If this seems to be having a performance impact, you can disable them through the View Options. This will remove the Other occurrences column entirely, the Comment column will be based only on tags, and the Score column will no longer be able to reflect Notable items.
You can export the contents of a table viewer to a CSV file in two ways. The "Save table as CSV" button in the upper left will save the entire contents of the table viewer to a CSV file. You can also select rows in the table viewer and then right-click and select "Export selected rows to CSV" to save only a subset of the rows:
Table viewers in the Results Viewer have certain right-click functions built-in into them that can be accessed when a row of a particular type is selected (a file, a directory, or a result). Here are some examples that you may see:
Thumbnail viewers display items selected in the Tree Viewer as a table of thumbnail images in adjustable sizes. This viewer only supports "picture" files (it currently only supports the JPG, GIF, and PNG formats). Click on the Thumbnail tab in the Listing tab to select this view. Note that for a large number of images in a directory selected in the Data Sources area of the Tree Viewer, or for a selection in the Views area of the Tree Viewer that contains a large number of images, it might take a while to populate the thumbnail viewer for the first time, i.e., before the thumbnails are cached.
A table viewer can perform slowly when displaying a large numbers of rows. To address this, when there are over a certain numer of rows (10,000 by default), the results will be split into pages. The paging controls at the top right of the table view allow you to browse the different pages.
You can adust the page sizes through View Options or turn paging off entirely.
Copyright © 2012-2021 Basis Technology. Generated on Tue Jan 19 2021
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.